I've configured IPSEC Xauth PSK on RB2011UAS-2HnD-IN.
When I establish a VPN connection from the Internet using an Android 8.0 phone, I can access resources both from the Internet and from the local network.
Everything is the same when I'm connecting from within the local network. Everything changes when I enable "Always on" in the phone's VPN settings. An "Always-on" connection established from the Internet works just fine.
The VPN connection establishes normally from the local network, but I cannot access any resources from either the local or the global network. Moreover, I cannot ping the router or any resource from the phone, and I cannot ping the phone from the router, either by its local address (from 172.20.88.0/24) or by its VPN address (from 172.20.89.0/24). As far as I can see, there is packet traffic according to the SAs' counters and the traffic sniffed from the WLAN.
Can you give me any idea what to look for to resolve the issues with network access when the VPN is established from the local network?
Policies:
[admin@MikroTik] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
0 T * group=default src-address=172.20.88.0/24 dst-address=172.20.89.0/24
protocol=all proposal=default template=yes
1 T group=default src-address=0.0.0.0/0 dst-address=172.20.89.0/24 protocol=all
proposal=default template=yes
2 DA src-address=0.0.0.0/0 src-port=any dst-address=172.20.89.243/32 dst-port=any
protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=46.163.165.251 sa-dst-address=94.25.176.14 proposal=default
ph2-count=1
Peer:
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
1 R address=0.0.0.0/0 passive=yes auth-method=pre-shared-key-xauth
secret="***" generate-policy=port-strict policy-template-group=default
exchange-mode=main mode-config=cfg1 send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha256
enc-algorithm=aes-128,3des,des dh-group=modp1024 lifetime=30m
dpd-interval=2m dpd-maximum-failures=5
Mode Configs:
[admin@MikroTik] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"
1 name="cfg1" system-dns=yes static-dns="" address-pool=ipsec
address-prefix-length=24
Proposal:
[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=30m
pfs-group=none
My local network IP range is 172.20.88.0/24 and the VPN's range is 172.20.89.0/24.